
How to Become a Customer-Facing Security Executive

Dave Tyson

"As CISOs and CSOs we are on a continuous journey to become real business partners and have a ruthless focus on business priority,” says Dave Tyson, Senior Director, Information Security, at S. C. Johnson & Son, Inc. Photo courtesy of Dave Tyson

Dave Komendat

“You have to have a big-picture understanding of the business and the inter-dependencies of your company. The only way to learn what’s important is to engage your internal business partners and glean what matters to them and their program(s),” says Dave Komendat, CSO at Boeing. “After clearly understanding what is important to my internal Boeing partners, I can then concentrate on developing the appropriately aligned service expectations and success metrics for my suppliers that support The Boeing Company.” Photo courtesy of Dave Komendat

Mike Howard

“Our vendors have to understand our strategy and where we are going as a company,” says Mike Howard, CSO at Microsoft, when talking about their customer-centric strategy. “People/Companies want to sell you products and services, but who is taking the time to study us, to understand our services and act accordingly? That’s how you take the vendor relationship to the next level. We expect our vendors to understand our mantra, which is ‘You have to have a strategy before you have technology.’ We partner with various Microsoft business groups, and they don’t necessarily have to understand the security group. The idea is to make Microsoft as a company more efficient. That is a two-fold benefit for our sales team, as it showcases the technology that Microsoft is trying to sell, and allows us (the security group) an opportunity to understand the verticals of the company, making us smarter and helping the sales team to sell product with the company’s bottom line in mind.” Photo courtesy of Mike Howard

Michael Couzens

How does Michael Couzens, VP and CSO at Baker Hughes, take a customer relationship to the next level? “The customer should be at the forefront of any security design. Recognize that as times change, so do the needs and expectations of the customer. Today’s solution is unlikely to be a fix for tomorrow’s security challenge. Getting your own team to think about the customer and to challenge them to take steps to improve a relationship, solicit feedback, propose enhancements etc. Customers generally prefer bespoke solutions that are designed to meet their specific challenges and requirements. One size doesn’t fit all, interpretations and requirements differ. You have to be pragmatic, prepared to adapt and to act at their pace. In addition, you have to understand the customer’s regulatory framework and be prepared to demonstrate your own compliance, which provides confidence.” Photo courtesy of Michael Couzens

John Imhoff

John Imhoff, CSO at EY (formerly Ernst & Young), says that with regards to the company’s vendors, “When a service is critical we are big enough to do business only with reliable partners, so if a key partner doesn’t have the standards that we need in terms of their own resilience and internal controls, we will walk away. We can influence downstream, and we do that quite often.” Photo courtesy of John Imhoff

In early April, Wall Street’s oversight committee announced that banks’ oversight of cybersecurity measures at the outside firms they do business with remains a work in progress, at best. It cited a survey of 40 banks that found that only about a third require their outside vendors to notify them of any breach of the vendors’ own networks, which could in turn compromise confidential information of the bank and its customers.

Fewer than half the banks surveyed by the committee said they conducted regular on-site inspections to make sure the vendors they hire – like data providers, check-processing firms, accounting firms, law firms and even janitorial companies – are using adequate security measures, the report said. About half require vendors to provide a warranty that their products and data streams are secure and virus-free.

“Benjamin M. Lawsky, New York’s superintendent of financial services, whose office began surveying banks on digital security in October 2014, said the responses showed financial institutions need to do more to keep tabs on the outside firms that have access to their networks,” said a Wall Street Journal article on the topic. “Over the last year, financial regulators nationwide have increasingly focused on steps taken by banks and financial firms to not only safeguard their own networks, but to ensure the outside firms they use are adequately protected as well,” the article said.

A separate Forbes article by Betsy Atkins, titled “Why It’s Time For a Board-Level Cybersecurity Committee,” reported that up to $21 trillion in global assets could be at risk from cybercrime. “As digital security breaches escalate, corporate boards should be aware that providing oversight on cybersecurity risks is part of their fiduciary duty. Boards should form a dedicated cybersecurity technology committee that may require new candidates with computer security backgrounds,” Atkins wrote. “The board also should require management to present their policies on cyber security in written form in terms of security practices, standards, and protocols for responding to security breaches. The board also should be able to identify the manager responsible by title, and in what timeframe they are to respond to an intrusion. In the event of a cyber-breach, the board should schedule an update from the security committee on any forensic review. The company may need to disclose any data breach in SEC filings if the breach was material. Courts consider failure to disclose a cyber-attack as a ‘material omission,’ according to some interpretations of new SEC guidance on disclosure. In addition, the board should work with the general counsel to determine the extent to which existing directors’ and officers’ insurance coverage provides protection, and identify what issues should be overseen by the CIO, the board, or board/committee for action and/or approval.”

What does all of this mean? It’s an opportunity for you, if you are not already doing it, as CISO or CSO, to be the bridge connecting the two worlds of business and security and to be “customer facing.”

Possibly one of the biggest hurdles for some CSOs and CISOs is to understand they’re no longer the practitioners. The good ones realize this, and use their understanding of the security world to talk to their customers, to understand what they need and why they need it. Then they translate this to fit in with business objectives and explain it to the C-suite, to employees and to customers. By bridging these very different worlds, CSOs and CISOs can ensure that security has a seat at the “Customer Facing Board Table,” and keep security baked into the core of business driven decisions.

Depending upon your enterprise, your customer can take many shapes and forms, as seen by Dave Tyson, Senior Director, Information Security, at S. C. Johnson & Son, Inc. in Racine, Wisconsin, who has had the opportunity in several roles to be customer facing. His customer facing CISO role is one of “A relationship with business partners, including a growing and expanding field of vendor security, which entails evaluating and providing a high level of assurance that with that relationship, there is an appropriate amount of security,” he says.

Tyson, who is also the 2015 President of ASIS International, the first CISO to lead the organization, was previously CISO at Pacific Gas and Electric, the first power utility in the U.S. to develop and deploy the smart grid. “At the same time, people started to ask questions about the safety of the grid, so the California Public Utilities Commission launched an investigation into the security and usability of smart meters,” he explains. “As the CISO, I had to publicly give information to convince the regulators that consumers were safe. It was one of the first times that a CISO was in front of a customer speaking publicly about a security issue.”

At eBay, where Tyson was Senior Director of Infosec Operations, he regularly engaged with other business teams, he says, in addition to using the public and eBay customers to identify risks to the enterprise. “Those are examples of how a CISO has to stand up in front of the public and do things differently now,” he says.

“The financial services industry is taking a battering right now [in the public eye],” he says. “I tend to come to their rescue and say that they are also the most under attack. While I was at eBay we got attacks all of the time, so when you are the proving ground for new attacks, you have to be at the top of your game. And the CISOs who are not necessarily in front of the public, they are still working hard every day to protect their customers’ investments.”

Tyson adds that around the world, many Boards of Directors now have what some refer to as their “designated geek” who “understands the technology-speak; a senior leader on the team who can ask the right questions of management so as to provide appropriate Board-level oversight of cyber risks. When I was at eBay, I was seven levels from the president of the company, so I had to rely on my CISO for that. When I was at PG&E, I could directly speak to the CEO and tell him my concerns. As CISOs and CSOs we are on a continuous journey to become real business partners and have a ruthless focus on business priority.”

The “Grow Guy”

Robert A. Messemer, Chief Security Officer at Nielsen, the world’s leading global consumer measurement company with 40,000 employees operating in more than 100 countries, was appointed the company’s first-ever CSO in 2007. His experience of being customer facing within Nielsen is that: “The CSO/CISO role has always been an evolving role. As the business grows and matures, so must our role as a key leader to positively influence top-line growth.”

“Irrespective of our business, clients are more focused on cybersecurity than ever before,” Messemer explains. “No one should be better qualified within an organization to directly address these concerns both internally and externally than the CSO.”

For Messemer, close collaboration with business leaders positions him as CSO to act as a trusted advisor on a broad spectrum of strategic risk issues, including addressing client concerns for data protection and privacy. “In this way,” he says, “the business leadership perception of the CSO shifts positively from being perceived as the ‘No Guy’ to the ‘Grow Guy.’ Our senior business leaders, particularly in new business development, marketing and client service, value my direct engagement with our clients, especially because it demonstrates our deep commitment to data protection and privacy concerns.”

Michael Couzens, VP & CSO at Baker Hughes, Enterprise Security, says that a number of corporate security teams still focus to a great extent on their internal customer and overlook the needs of the company’s external customer.

“There have recently been some well-publicized security breaches where customer data may have been compromised or stolen,” he says, “and it is against this backdrop and a growing awareness of security risks that customers are rightly starting to ask more probing questions about the security their partners, vendors and suppliers provide. Increasingly, security has become marketable and a competitive advantage. Companies need to be able to give assurances about security, confidentiality, privacy, resilience, integrity and availability. A strong customer focus can be a significant contributor towards overall success and involves ensuring that all aspects of the company put its customers’ satisfaction first. The company that best anticipates, understands and exceeds customer expectations, in this respect, stands well positioned to gain market share.”

In this regard, the role of the CSO at Baker Hughes, he says, is to play a key part in building trust, transparency and confidence. The CSO has to be able to bridge between the business, the customer, vendors and regulatory authorities. Just as elsewhere in the business, they need to be customer-centric, focused on service delivery, execution, quality, reliability and customer satisfaction. Being visible and willing to talk openly about security and the value an enterprise places on security provides reassurance. “The CSO has to be prepared to meet with the customer, to listen to their requirements, solicit and act upon feedback and seek to add value beyond the immediate terms of the contract or service being provided. It is worth asking yourself how well attuned you are to the voice of the customer and how easy it is for them to have their voice heard,” he says.

At Baker Hughes, one example of where Couzens and his team have developed excellent customer and vendor relationships is by collaborating on crisis management training and exercises. This has helped forge strong relationships, build trust and better prepare the organizations involved for any future crisis, he says. Other areas where collaboration has improved the customer experience have included incident management, product design and integrated security solutions. “We have also been willing to share our knowledge and assist other security teams to develop their policies, processes and systems,” he says. “Security is not just an add-on but a differentiator and marketable. Providing a trusted service can contribute towards significant revenue generation,” he explains.

Just as Couzens and his team seek to surpass their customers’ expectations, he says he expects the same from vendors. “Security partners should not only have a good understanding of our business but also the primary risks we face and the prevailing market conditions,” he says. “A mindset of enabling and contributing towards the success of the client is fundamental. There needs to be an open dialogue so that both sides can optimize the relationship while recognizing any constraints that may exist. There is merit in working together to collaborate on services and products for longer term benefit and to develop solutions for shared challenges. Like many others, within our contracts we set ‘stretch’ KPIs and meet regularly to discuss performance. We’ve considered including penalty clauses and incentives but have yet to fully introduce these, recognizing that security is a combined effort with shared responsibility for performance.”

Dave Komendat, CSO at Boeing, says CSOs need to be engaged with the business leaders within their company. The first dialogue you have with a key management official should not be the result of a crisis. Engaging early and often to make sure that there is a known and trusted relationship is key. “My team strives to be customer facing,” he says. “The leadership team shouldn’t have to reach out with questions; they should already know the players, processes and procedures in advance.”

For example, during the April 2011 earthquake in Japan, Komendat says he happened to be awake around the time the earthquake struck (2:00 a.m. PST), so he immediately got in touch with senior leadership to assure them that he and his team were not only aware of the situation, but were already in the process of contacting Boeing employees in the country and employees en route to determine their health and the safety of their families, and that he would be back in touch within two hours with an update on the situation. “That initial contact showed leadership that we were already engaged, and it gave our Crisis Management team the time it needed to fully assess the situation and the impact to our employees and operations in-country.”

John Imhoff, CSO at EY (formerly Ernst & Young), has worked specifically with procurement staff at the firm to ensure that contract language guarantees that “key vendors are not exposing us,” he says. “And that happens at several levels. For example, Security has been involved in the designing of business continuity clauses for contracts to ensure that there is substance behind the words. Thirteen years ago, when I started with this organization, that was not the usual practice; it might have happened, but now everyone is looking for that. There has been an evolution over the course of my tenure here.”

Imhoff also partners with the company’s IT and privacy teams to operate a platform used to respond to customer queries about the company’s own business continuity, cyber, physical security and privacy practices, supporting both regulatory compliance and implementation.

Frankly, with regards to the company’s vendors, Imhoff says “when a service is critical we are big enough to do business only with reliable partners, so if a key partner doesn’t have the standards that we need in terms of their own resilience and internal controls, we will walk away. We can influence downstream, and we do that quite often.”

Diane Ritchey has been Editor, Communications and Content for Security magazine since 2009. She has an experienced background in publishing, public relations, online content and communications. Within her role at Security, Ritchey authors the annual Security 500 Report, exclusive cover stories and the monthly Security Talk column.
